What is it?
The General Data Protection Regulation (GDPR) introduced the biggest changes to data protection law in Europe in more than 20 years, along with huge fines if you don’t comply.
The GDPR affects every organisation that processes personal data.
The new wider definition of ‘personal data’ covers any information about an identified or identifiable individual, but to identify someone you do not need to know their name. It is enough if you can single them out from a group, by means of an identification number, location data or online identifier (such as an IP address) or something that is specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Who does it affect?
As a Regulation, it applies directly in every EU Member State without the need for national legislation. It applies to all personal data, in whatever format it is held (including structured paper files) and whenever it was collected, so you need to ensure that your handling of any personal data you hold complies with it.
Organisations that process personal data on the instructions of another organisation, e.g. hosting companies, are having a particularly steep learning curve because they are subject to statutory obligations for the first time.
Data protection compliance is a constant and iterative process. You need to be moving towards compliance and revising your approach in the light of developments, such as how the UK decides to exercise its discretion in certain areas as well as new guidance and cases in the UK and Europe.
So where can you find up-to-date and reliable information about what you need to do?
Guidance will eventually be issued by the European data protection authorities, but it could be a long time before they can agree it.
Are you ready?
You could look through the vast amount of information online, but can you tell what is relevant? Much of the information is based on earlier drafts that have since been amended or replaced, or it is written from the perspective of countries with a very different approach to privacy, such as the US.
Your solicitor could help you, but is he or she a specialist in data protection, information security and risk management?
Where we fit in
We can explain what you need to do to reach the standards. For example, there are new data protection principles. You will need to take steps throughout the lifecycle of your data, from the moment you start designing your processes until the processing is completed, to ensure you are complying (the principle of “Data Protection by Design”).
You will also need to show, at every stage of your processing, how you are complying (the principle of “Accountability”).
What we provide
We can help you through the whole process by providing general awareness seminars or more detailed training for those who are more closely involved. We provide pragmatic advice and can draft documents, including notices, policies, procedures, guidelines and Data Protection Impact Assessments.
You may need a Data Breach Incident Management Policy, so you can be confident that you can identify a personal data breach and report it to the ICO within 72 hours, or you may need to revise your existing policy to cover new issues, such as unauthorised reversal of pseudonymisation.
GDPR and IT Security
In relation to IT security, the GDPR recommends the use of pseudonymisation and encryption as well as regular testing of security measures, e.g. Vulnerability Testing, Penetration Testing and Control Testing.
We can also help you with these and guide you through the certification process for Cyber Essentials, ISO/IEC 27001:2013 and PCI-DSS.